Source Code Likely Lifted in Google Attacks

McAfee's CTO says hackers broke into computers of employees with privileged access to attack source code management software such as that made by Perforce Software, which Google and a number of other companies employ in their operations.

Details of January's attacks on Google and other companies by allegedly China-based
hackers are continuing to emerge. George Kurtz, CTO
of antivirus software maker McAfee, on March 3 said the hackers stole valuable
source code, breaking into the computers of employees with privileged access.

Google Chief Legal Officer David Drummond wrote in a blog post Jan. 12 that the attack
on Google's corporate infrastructure resulted in the theft of intellectual
property from the search giant, though he declined to specify what the hackers
stole.
Kurtz said he believes the hackers broke through the defenses of at least 30
companies and maybe as many as 100. The common link? The hackers often attacked
source code management software, or SCM, such
as the system from Perforce Software that Google and a number of other
companies employ in their operations.

According to Kurtz, hackers succeeded in stealing source code from several
of their victims.

He also said the attackers would have had an opportunity to change the
source code without the companies' knowledge, although investigators had yet to
find any evidence that the hackers made changes.
The dispute between China and Google expanded on two fronts March 2 with the
search giant suggesting to Congress that the issue of the attacks should be
brought before the WTO (World Trade Organization), while Sen. Dick Durbin threatened
to introduce legislation that would slap civil or criminal liabilities on
Internet companies that do not take steps to protect human rights.

After a March 2 hearing before the Senate Judiciary Subcommittee on Human
Rights and the Law, chaired by Durbin, examined IT industry business practices
in Internet-restricting countries, Bloomberg reported that the Obama
administration is considering raising the issue before the WTO. The effort
would force China
to publicly discuss the issue.

Durbin, meanwhile, urged Internet companies to adopt the voluntary code of
conduct known as the GNI (Global Network
Initiative). The code of conduct regulates the actions of technology companies
operating in countries that restrict the Internet. The GNI
currently has only three members: Google, Microsoft, and Yahoo. The group has
shown little progress.

"With a few notable exceptions, the information technology industry seems
unwilling to regulate itself and unwilling even to engage in a dialogue with
Congress about the serious human rights challenges the industry faces,"
Durbin said in a statement. "As a result, I plan to introduce legislation
that would require Internet companies to take reasonable steps to protect human
rights or face civil or criminal liability."

In February, Durbin sent letters to 30 technology companies asking them to join
the GNI and seeking more information about
their business practices in China.
Only AT&T, McAfee and Skype have committed to discussing joining the GNI,
while Websense has indicated that it will join if the membership fee is waived.

"Facebook, Twitter, HP [Hewlett-Packard] and Apple were all asked to
testify [at the March 2 hearing] and refused. McAfee agreed to testify at [the]
hearing but withdrew late last week," said a statement on Durbin's
Website.